Google Cloud’s serverless infrastructure has been used by a Latin American financially motivated threat group, codenamed FLUXROOT, to orchestrate credential phishing campaigns, as reported by The Hacker News.
This incident is not an isolated one: numerous cybercriminals are misusing cloud computing services for malicious purposes, presenting IT and cyber security professionals with an urgent challenge.
Google’s semi-annual Threat Horizons Report explores the rise of serverless architectures and offers advice on what you need to know. As the report points out, the same aspects of serverless technology that benefit legitimate businesses are also appealing to cybercriminals: flexibility, low cost, and simplicity. Specifically, threat actors are leveraging this infrastructure as a service to spread malware, store and serve phishing pages, and run serverless-enabled scripts.
As for FLUXROOT, the group used Google Cloud container URLs to host sophisticated credential phishing pages. Their target was Mercado Pago, a highly popular online payment platform used in the Latin American region. The group’s operations relied on spoofing the platform’s login interface to harvest users’ login credentials and secure unauthorized access to victims’ financial accounts.
It is worth noting that FLUXROOT’s activity is not limited to this particular campaign. The group is also known for distributing the Grandoreiro information-stealing banking trojan, an advanced piece of malware aimed at financial operations. Recently, FLUXROOT’s tactics have shifted, and the group has been spotted using other legitimate cloud services, such as Microsoft Azure and Dropbox, to distribute its malware. These tactics have been successful, and cloud services have become another way for the group to do “business.”
However, FLUXROOT is not the only threat actor exploiting Google’s cloud infrastructure. Another actor identified as PINEAPPLE has been observed using Google Cloud to distribute another strain of malware called Astaroth (also known as Guildma). This information-stealing malware primarily targets users in Brazil, highlighting the regional concentration of some of these attacks.
PINEAPPLE’s techniques included both compromising existing Google Cloud instances and creating their own projects. They used these resources to generate container URLs in legitimate Google Cloud serverless domains such as cloudfunctions(.)net and run.app. These URLs hosted landing pages that redirected unsuspecting targets to their malicious infrastructure to deploy the Astaroth malware.
Additionally, PINEAPPLE demonstrated advanced evasion techniques, such as using a mail forwarding service that did not drop messages that failed Sender Policy Framework (SPF) checks. The messages themselves also included unexpected data (typically in the SMTP return-path field) that triggered a timeout in the DNS request made during the check; because the check could not complete, the SPF result was a failure rather than a verdict, undermining email authentication. These techniques are highly sophisticated and demonstrate the speed at which cyber capabilities are growing.
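From a defender’s side, the point of the evasion described above is that an SPF check that never completes must not be treated like a clean result. The following Python is an added illustration, not code from the report or from Google: it triages constructed message headers (the sample addresses and domains are invented) and flags an SPF `temperror`, an oversized return-path local part, and a return-path domain that does not match the From domain, instead of silently accepting the message as a forwarder might.

```python
import email
import re

# Constructed sample headers for illustration (not taken from the report); bodies omitted.
SAMPLES = {
    "clean": (
        "Return-Path: <billing@example.com>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com\n"
        "From: Billing <billing@example.com>\n\n"
    ),
    "dns_timeout_via_forwarder": (
        "Return-Path: <" + "x" * 80 + "@relay.example.org>\n"
        "Authentication-Results: mx.example.net; spf=temperror (DNS timeout) "
        "smtp.mailfrom=relay.example.org\n"
        "From: Alerts <alerts@bank.example.com>\n\n"
    ),
    "softfail_forwarded": (
        "Return-Path: <fwd-123@relay.example.org>\n"
        "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=relay.example.org\n"
        "From: Alerts <alerts@bank.example.com>\n\n"
    ),
}

MAX_LOCAL_PART = 64  # RFC 5321 limit on the local part of a mailbox


def _domain(addr):
    """Extract the lower-cased domain from an address-like header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def assess(raw):
    """Return the SPF verdict plus a list of triage flags for one raw message."""
    msg = email.message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"\bspf=(\w+)", auth, re.IGNORECASE)
    spf = m.group(1).lower() if m else "none"
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    flags = []
    if spf != "pass":
        flags.append("spf_not_pass")
    if spf == "temperror":
        flags.append("spf_temperror")  # the DNS lookup failed; no real verdict was reached
    if len(return_path.split("@")[0]) > MAX_LOCAL_PART:
        flags.append("return_path_localpart_too_long")
    if _domain(return_path) and _domain(return_path) != _domain(msg.get("From", "")):
        flags.append("return_path_from_domain_mismatch")
    return {"spf": spf, "flags": flags}


def triage(samples):
    """Assess every sample and map its name to the verdict and flags."""
    return {name: assess(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, verdict)
```

A mail gateway applying this logic would quarantine or hold the `temperror` message for review rather than deliver it as if SPF had passed.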
Google has taken decisive action in response to these threats: the tech giant shut down identified malicious Google Cloud projects and updated its Safe Browsing list to protect users, but the incident highlights the ongoing cat-and-mouse game between cybersecurity defenders and threat actors in the cloud space.
The weaponization of cloud services and infrastructure by cybercriminals is not limited to phishing and malware distribution. Other malicious activities such as illicit cryptocurrency mining and ransomware attacks exploiting weak configurations are also proliferating in cloud environments. This trend is largely due to the widespread adoption of cloud technology across various industries.
One of the most significant challenges presented by this change is that malicious activity will become increasingly difficult to detect. By leveraging legitimate cloud services, threat actors can easily blend their activities into regular network traffic, making it more difficult for security teams to distinguish between legitimate and malicious activity.
Either way, given the current pace of cloud adoption, it is clear that both cloud providers and their customers need to remain vigilant, even where the attack vectors lie outside their direct control. Regular security audits, solid authentication measures, and state-of-the-art threat detection systems are becoming prerequisites for a secure cloud environment. Tomorrow’s attacks will never be the same as yesterday’s, and neither will our tools against them.